UK Binary Code

Even when an employee acts on his own to breach the company's data, the company could still be held liable, according to U.K. courts involved in the country's first data breach class action lawsuit.

In Various Claimants v. Wm Morrisons Supermarket, a U.K. supermarket chain was able to escape primary liability claims brought by 5,000-plus employees whose data was exposed. However, Morrisons hasn't been able to dissuade U.K. courts to drop the vicarious liability charge. On April 15, the Supreme Court of the United Kingdom decided to hear the appeal.

Lawyers say they are watching the case closely because of the implications of the court finding a company vicariously liable even when it has cybersecurity controls in place and the breach is caused by an employee acting inappropriately on his or her own accord. Vicarious liability in U.K. employment law refers to an employer's liability for its employee's actions. 

The case stems from a 2014 incident where a Morrisons senior internal auditor uploaded a file containing nearly 100,000 Morrisons employees' personal data, including their names, addresses, birth dates, phone numbers, bank account numbers and their salaries at Morrisons.

The employee was found guilty of committing the data breach and was sentenced to eight years in prison. Later, 5,000 Morrisons employees whose data was exposed filed a class action suit against the company, claiming the supermarket chain had primary liability under the country's Data Protection Act and had vicarious liability.

The High Court dismissed the primary liability claims but found Morrisons can be held vicariously liable under English common law for the data breach caused by the action of its then-employee.

Morrisons disagreed and appealed to the U.K. Court of Appeal, arguing that the Data Protection Act excluded vicarious liability and that the employee's actions didn't occur during the “course of employment.”

“The headline point is the company could be liable for the actions of their employees even when the employee is doing something they aren't authorized to do,” said Steven Hadwin, Norton Rose Fulbright's risk advisory and cybersecurity head of operations.

While the courts in the Morrisons case have recommended companies use insurance policies to cover vicarious liability, DLA Piper partner and U.K. data protection co-chairman Andrew Dyson suggested companies also implement data loss prevention tools, track what employees are doing with company data and screen a job applicant's prior history to spot any possible issues.

“The ultimate risk [with this approach to vicarious liability] is that a company finds itself responsible for data loss caused by a rogue employee,” Dyson said. ”Loss which it can be very hard, if not impossible, to control. Risk and compliance teams should reflect on this exposure when looking at the adequacy of controls that are in place.”

If the U.K.'s Supreme Court doesn't reverse the lower courts, the decision could also signal to claimants they have another path to gain compensation after a data breach.

“In theory if you want to bring a consumer claim … you have another avenue available to you,” Hadwin said. He added there is an incentive at aiming a suit at a successful company rather than a single individual. “You instead bring a claim against a company and the company has deeper pockets then the individual,” he said.

Indeed, while lawyers said damages for data breaches in the United Kingdom are usually low and hover around $1,300 per claim, a large class such as the 5,000 people suing Morrisons could cost the organization $6.5 million before legal fees.

However, the floodgates haven't necessarily opened for data breach class actions in the United Kingdom. Hadwin noted, “The courts are interpreting the rights that people have under [the General Data Protection Regulation] and compensation restrictively and not overly broad.”

While the Morrisons case has caught lawyers' attention for its legal precedent, the GDPR and constant news of massive data breaches have made consumers more aware of their data rights too.

“More class actions in this area is inevitable just because we have this greater consumer awareness, I suppose, of data protection rights and greater transparency rights,” said Bryony Hurst, a London-based dispute resolution group partner at Bird & Bird.